Did you try "openssl ca" instead of CA.all?
Directories seem to be invalid because it returns "no file found" errors!
Personally, I haven't tried the perl script, I use only openssl ca

Frederic

Ronald I. Nutter wrote:

Is anybody getting this or is OpenSSL a dead product? Is there a
listserv somewhere that may be able to help me?

Ron

--------------------------------------------------------------------
Ron Nutter [EMAIL PROTECTED] Network Manager
Information Technology Services (502)863-7002
Georgetown College Georgetown, KY 40324-1696
--------------------------------------------------------------------



-----Original Message-----
From: Ronald I. Nutter
Sent: Wednesday, November 03, 2004 2:48 PM
To: '[EMAIL PROTECTED]'
Subject: Problems genning certificates



I am trying to get OpenSSL to work with Freeradius. I am running the CA.all perl script but am getting errors that I can't find the cause for. I have modified the openssl.cnf to put the defaults for my install. I am seeing errors unable to load certificate and missing directory but don't see anything in the CA.all script that points to the problem. Would appreciate any suggestions.

Ron

[EMAIL PROTECTED] ssl]# ./CA.all

               ##################
               create private key
               name : name-root
               CA.pl -newcert
               ##################

Generating a 1024 bit RSA private key
...++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request. What you are about to enter is what is
called a Distinguished Name or a DN. There are quite a few fields but
you can leave some blank For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Kentucky]:
Locality Name (eg, city) [Georgetown]:
Organization Name (eg, company) [Georgetown College]:
Organizational Unit Name (eg, section) [ITS]:
Common Name (eg, YOUR name) [Network Manager]:
Email Address [EMAIL PROTECTED]:

               ##################
               create CA
               use just created 'newreq.pem' private key as filename
               CA.pl -newca
               ##################


               ##################
               exporting ROOT CA
               CA.pl -newreq
               CA.pl -signreq
               openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.pem
               openssl pkcs12 -in root.cer -out root.pem
               ##################

No certificate matches private key
22411:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
unable to load certificate
22412:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

               ##################
               creating client certificate
               name : name-clt
               client certificate stored as cert-clt.pem
               CA.pl -newreq
               CA.pl -signreq
               ##################

Generating a 1024 bit RSA private key
........................++++++
..++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request. What you are about to enter is what is
called a Distinguished Name or a DN. There are quite a few fields but
you can leave some blank For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Kentucky]:
Locality Name (eg, city) [Georgetown]:
Organization Name (eg, company) [Georgetown College]:
Organizational Unit Name (eg, section) [ITS]:
Common Name (eg, YOUR name) [Network Manager]:
Email Address [EMAIL PROTECTED]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [whatever]:whatever
An optional company name []:
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 3 19:31:02 2004 GMT
Not After : Nov 3 19:31:02 2005 GMT
Subject:
countryName = US
stateOrProvinceName = Kentucky
localityName = Georgetown
organizationName = Georgetown College
organizationalUnitName = ITS
commonName = Network Manager
emailAddress = [EMAIL PROTECTED]
X509v3 extensions:
X509v3 Basic Constraints: CA:FALSE
Netscape Comment: OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9B:F9:44:79:B8:2C:EB:07:93:59:5F:FB:22:C7:2A:79:16:E8:4F:98
X509v3 Authority Key Identifier:
keyid:EC:B1:D2:59:87:8B:E5:6D:67:C8:0E:94:F1:DE:2C:BA:40:A4:CB:B3
DirName:/C=US/ST=Kentucky/OU=ITS/CN=Network Manager/[EMAIL PROTECTED]
serial:00

Certificate is to be certified until Nov  3 19:31:02 2005 GMT (365 days)
Sign the certificate? [y/n]:y

-passin: No such file or directory
22414:error:02001002:system library:fopen:No such file or directory:bss_file.c:276:fopen('-passin','r')
22414:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
No certificate matches private key
22416:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
unable to load certificate
22417:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

               ##################
               creating server certificate
               name : name-srv
               server certificate stored as cert-srv.pem
               CA.pl -newreq
               CA.pl -signreq
               ##################

Generating a 1024 bit RSA private key
........................................++++++
.........................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request. What you are about to enter is what is
called a Distinguished Name or a DN. There are quite a few fields but
you can leave some blank For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Kentucky]:
Locality Name (eg, city) [Georgetown]:
Organization Name (eg, company) [Georgetown College]:
Organizational Unit Name (eg, section) [ITS]:
Common Name (eg, YOUR name) [Network Manager]:
Email Address [EMAIL PROTECTED]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [whatever]:
An optional company name []:
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 3 19:31:59 2004 GMT
Not After : Nov 3 19:31:59 2005 GMT
Subject:
countryName = US
stateOrProvinceName = Kentucky
localityName = Georgetown
organizationName = Georgetown College
organizationalUnitName = ITS
commonName = Network Manager
emailAddress = [EMAIL PROTECTED]
X509v3 extensions:
X509v3 Basic Constraints: CA:FALSE
Netscape Comment: OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5E:BC:CE:F7:C5:B1:38:54:E8:FA:2A:12:08:A9:06:25:06:55:D6:BD
X509v3 Authority Key Identifier:
keyid:EC:B1:D2:59:87:8B:E5:6D:67:C8:0E:94:F1:DE:2C:BA:40:A4:CB:B3
DirName:/C=US/ST=Kentucky/OU=ITS/CN=Network Manager/[EMAIL PROTECTED]
serial:00

Certificate is to be certified until Nov  3 19:31:59 2005 GMT (365 days)
Sign the certificate? [y/n]:y

-passin: No such file or directory
22419:error:02001002:system library:fopen:No such file or directory:bss_file.c:276:fopen('-passin','r')
22419:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
No certificate matches private key
22421:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
unable to load certificate
22422:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

               ##################



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
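
Added example, not part of the thread and not the CA.all script: the "openssl ca" route suggested in the reply, with the demoCA directory, index.txt and serial file it expects created first, plus a check of the certificate/key pairing that the "No certificate matches private key" message is about. It assumes the openssl command is on PATH; every path, subject name, the pass phrase and the minimal config are constructed for the demo.

```shell
#!/bin/sh
# Added example. Every path, subject name and the pass phrase "whatever"
# is constructed for the demo; ca.cnf is a minimal stand-in for openssl.cnf.

# Build a throw-away CA under $1 and sign one server request with `openssl ca`.
build_demo_ca() (
    mkdir -p "$1/demoCA/private" "$1/demoCA/newcerts" && cd "$1" || exit 1
    : > demoCA/index.txt       # certificate database; must exist, may be empty
    echo 01 > demoCA/serial    # next serial number in hex; must exist
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./demoCA
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # Root CA: encrypted key and self-signed certificate.
    openssl req -config ca.cnf -new -x509 -newkey rsa:2048 -days 365 \
        -subj "/CN=Demo Root CA" -passout pass:whatever \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem || exit 1
    # Server key and request, then the signing step itself.
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout srv-key.pem -out srv-req.pem || exit 1
    openssl ca -config ca.cnf -batch -notext -passin pass:whatever \
        -in srv-req.pem -out cert-srv.pem
)

# Succeed only if certificate $1 carries the public key of private key $2.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}
```

Run build_demo_ca with an empty scratch directory as its argument, then key_matches_cert cert-srv.pem srv-key.pem before bundling the pair with openssl pkcs12 -export.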





